chore(template): sync from mcp-ecosystem#26
Conversation
Pull request overview
Syncs shared workflow/config/template baselines from verygoodplugins/mcp-ecosystem to reduce drift and align automation across repos.
Changes:
- Updates Python dependency baseline in pyproject.toml (notably the mcp requirement).
- Refreshes GitHub Actions workflows (CI, security scanning, and release/publish pipeline).
- Adds a Dependabot auto-merge workflow and adjusts Dependabot grouping/config.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| pyproject.toml | Updates runtime dependency constraint for mcp. |
| .github/workflows/security.yml | Updates action versions and modifies pip-audit/bandit execution behavior. |
| .github/workflows/ci.yml | Adds Python version matrix, ruff+pytest+coverage+codecov steps, and updates action versions. |
| .github/workflows/release.yml | Replaces Release Please flow with tag-triggered build + PyPI Trusted Publishing + GitHub Release. |
| .github/workflows/pr-title.yml | Tweaks Conventional Commit guidance/examples for PR titles. |
| .github/workflows/dependabot-auto-merge.yml | Introduces workflow to auto-approve/enable auto-merge for eligible Dependabot PRs. |
| .github/dependabot.yml | Adjusts grouping configuration and removes GitHub Actions ecosystem updates. |
| - name: Run bandit | ||
| run: bandit -r . -x .venv,tests -ll | ||
| run: bandit -r src/ -ll |
bandit is configured to scan src/, but this repository doesn’t have a src/ directory, so the scan will either error or effectively scan nothing (and with continue-on-error: true this can silently mask that). Update the scan target to match the actual code layout (e.g., repo root with appropriate excludes, or the real package/module directories).
| run: bandit -r src/ -ll | |
| run: bandit -r . -ll |
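Review bot: the suggested replacement `bandit -r . -ll` drops the `-x .venv,tests` exclusion that the removed line `bandit -r . -x .venv,tests -ll` carried, so a `.venv` created on the runner and the test tree (where `assert` statements, which bandit flags as B101, and fixture secrets are routine) would be scanned and will generate noise or outright failures once `continue-on-error` is taken off this job. Keep the excludes when fixing the target: `bandit -r . -x .venv,tests -ll`.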
| - name: Audit dependencies | ||
| run: pip-audit | ||
| continue-on-error: true |
continue-on-error: true on dependency auditing means the Security workflow will pass even when vulnerabilities are found. If the intent is to enforce a security gate on PRs/main, remove continue-on-error (or gate it to non-default branches / scheduled runs only).
| continue-on-error: true |
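Review bot: beyond dropping `continue-on-error`, note that `pip-audit` with no arguments audits every distribution in the runner's environment, so an advisory against a tool installed only for CI (bandit, pytest, ruff) would fail the gate as if it were a project dependency. Audit the project's own dependency set (pip-audit also accepts `-r` for a requirements file, or run it in an environment that has only the project installed), and if a specific finding has to be tolerated for a while, use `--ignore-vuln <ID>` per advisory rather than a blanket `continue-on-error` that hides every future finding too.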
| - name: Test with pytest | ||
| run: | | ||
| pip install pytest pytest-asyncio pytest-cov |
Similarly, pytest/pytest-asyncio/pytest-cov are installed again even though they’re already part of the .[dev] extras installed earlier. This adds time and can cause CI to use different versions than local/dev. Prefer removing this extra install (or pinning explicitly if intended).
| pip install pytest pytest-asyncio pytest-cov |
| dependency-type: "development" | ||
| commit-message: | ||
| prefix: "chore(deps)" | ||
| open-pull-requests-limit: 10 |
This change removes Dependabot updates for the github-actions ecosystem. If actions versions are not managed elsewhere, this will stop automated security/version updates for workflow actions; consider re-adding the github-actions entry or documenting the replacement update mechanism.
| open-pull-requests-limit: 10 | |
| open-pull-requests-limit: 10 | |
| - package-ecosystem: "github-actions" | |
| directory: "/" | |
| schedule: | |
| interval: "weekly" | |
| commit-message: | |
| prefix: "chore(deps)" | |
| open-pull-requests-limit: 10 |
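Review bot: dropping the `github-actions` ecosystem also undercuts the SHA pinning recommended elsewhere in this review. Dependabot's github-actions updater is what bumps a pinned `uses: owner/action@<sha> # vX.Y.Z` to the next release, rewriting both the SHA and the version comment; without it the pins silently age and security updates for actions stop arriving. Keep the block shown in the suggestion (`- package-ecosystem: "github-actions"`, `directory: "/"`, weekly schedule) so the pins stay current.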
| - name: Test with pytest | ||
| run: | | ||
| pip install pytest pytest-asyncio pytest-cov | ||
| pytest --cov=src --cov-report=xml |
Coverage is collected with --cov=src, but this project does not use a src/ layout/package, so coverage will be empty or misleading. Point --cov at the actual modules/packages in this repo (or use --cov=. / a specific package name).
| pytest --cov=src --cov-report=xml | |
| pytest --cov=. --cov-report=xml |
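Review bot: `--cov=.` counts the test files themselves, plus any scripts or build directories, toward the coverage figure and inflates it. Prefer `--cov=<package_name>` for the actual package, or keep `--cov=.` and add an `[tool.coverage.run] omit` list (for example `tests/*`) in pyproject.toml so the report covers only production code. Since the `--cov-report=xml` output is what the codecov step uploads, a wrong source path shows up as an empty report rather than a CI failure, so check the first report after this change.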
| run: uv run ruff check . | ||
| - name: Lint with ruff | ||
| run: | | ||
| pip install ruff |
The workflow installs ruff again even though it’s already installed via pip install -e "..[dev]" above. This can unintentionally upgrade/downgrade the tool version used in CI relative to the project’s dependency constraints. Prefer relying on the version from the dev extras (or pin the version explicitly in this step).
| pip install ruff |
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | ||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.11" | ||
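Review bot: the replacement `actions/setup-python@v5` is not only unpinned but a major-version downgrade from the removed line's `actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0`. Restore a SHA pin with the version comment, and if rolling back to v5 was intentional, say so in the PR description; otherwise re-pin to the v6 release that was already in use. The same applies to `actions/checkout@v4`.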
Workflow actions are referenced by mutable tags (e.g. actions/checkout@v4, actions/setup-python@v5). For supply-chain hardening, pin these to full commit SHAs (as the prior workflow did) so a compromised tag can’t change the executed code.
| steps: | ||
| - name: Fetch Dependabot metadata | ||
| id: meta | ||
| uses: dependabot/fetch-metadata@v2 |
This workflow uses third-party actions by mutable tags (e.g. dependabot/fetch-metadata@v2). Consider pinning action references to commit SHAs to reduce supply-chain risk, especially since this job runs with pull_request_target and write permissions.
| uses: dependabot/fetch-metadata@v2 | |
| uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 |
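Review bot: the suggested pin `dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7` has no trailing `# vX.Y.Z` comment, unlike the other SHA pins on this page (`# v6.2.0`, `# release/v1`). Add the tag the SHA resolves to, verified against the action's release list rather than copied from the suggestion, so reviewers can check the pin and Dependabot can track it if the github-actions ecosystem is restored. A bare SHA with no comment is the pin most likely to be left stale, which matters for a job that runs on `pull_request_target` with write permissions.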
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 | ||
| with: | ||
| skip-existing: true | ||
| uses: pypa/gh-action-pypi-publish@release/v1 |
pypa/gh-action-pypi-publish@release/v1 is a floating ref. Pin to a commit SHA to prevent unexpected changes in the publishing step (supply-chain hardening).
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| uses: pypa/gh-action-pypi-publish@<FULL_40_CHARACTER_COMMIT_SHA> # release/v1 |
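Review bot: the removed line already carried a pin, `pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1`; the `<FULL_40_CHARACTER_COMMIT_SHA>` placeholder in the suggestion would fail to resolve if merged as-is, so restore that pin or move it to a newer `release/v1` commit verified against the upstream repository. Also confirm that `skip-existing: true` under `with:` survives the rewrite; a re-run of a tag build should not fail because the artifact is already on PyPI.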
| - name: Create GitHub Release | ||
| uses: softprops/action-gh-release@v1 | ||
| with: |
softprops/action-gh-release@v1 is a mutable tag. Pin to a commit SHA to reduce supply-chain risk for the release creation step.
Sync shared workflow/config/template baselines from verygoodplugins/mcp-ecosystem.

Source commit: 04bc391 (2026-04-22)
Scripts: scripts/apply-templates.sh --force, scripts/sync-template-baseline.mjs

This PR is generated from the ecosystem source of truth to reduce per-repo Dependabot drift.